072836005f0cb59f8729f0fda9ce366cbe272df9cdce1225f44400f3d4b78cb7

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
Size

238KB
MD5

30060ce2349a0fd791a5fc9d68ce5457
SHA1

77d111c7d7e38c6d00b14f21b9f552aeaa3c0523
SHA256

072836005f0cb59f8729f0fda9ce366cbe272df9cdce1225f44400f3d4b78cb7
SHA512

f8128c3681465d8c8f38b5e70d1a14477ea6827627232941bf7ebe6919ce0bf7fa37fba598cbd62f122681e673cfe649f9bee1f84db72a59449bf7d0b1b182f2
SSDEEP

6144:AxE++swcKeRzubjnZSBxnHNvPmOu+QUrT610gj7Q:aElcViAB7vPBLZ

Score

8^/10

aspackv2 persistence upx

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 14 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\FastUserSwitchingCompatibility\Parameters\ServiceDll = "C:\\Windows\\system32\\FastUserSwitchingCompatibility.dll"	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nla\Parameters\ServiceDll = "C:\\Windows\\system32\\Nla.dll"	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Wmi\Parameters\ServiceDll = "C:\\Windows\\system32\\Wmi.dll"	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ntmssvc\Parameters\ServiceDll = "C:\\Windows\\system32\\Ntmssvc.dll"	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NWCWorkstation\Parameters\ServiceDll = "C:\\Windows\\system32\\NWCWorkstation.dll"	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\LogonHours\Parameters\ServiceDll = "C:\\Windows\\system32\\LogonHours.dll"	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\PCAudit\Parameters\ServiceDll = "C:\\Windows\\system32\\PCAudit.dll"	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Ias\Parameters\ServiceDll = "C:\\Windows\\system32\\Ias.dll"	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Irmon\Parameters\ServiceDll = "C:\\Windows\\system32\\Irmon.dll"	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\uploadmgr\Parameters\ServiceDll = "C:\\Windows\\system32\\uploadmgr.dll"	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Nwsapagent\Parameters\ServiceDll = "C:\\Windows\\system32\\Nwsapagent.dll"	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SRService\Parameters\ServiceDll = "C:\\Windows\\system32\\SRService.dll"	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WmdmPmSp\Parameters\ServiceDll = "C:\\Windows\\system32\\WmdmPmSp.dll"	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\helpsvc\Parameters\ServiceDll = "C:\\Windows\\system32\\helpsvc.dll"	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0009000000016ccd-7.dat	aspack_v212_v242

Loads dropped DLL 12 IoCs

pid	Process
2420	svchost.exe
2956	svchost.exe
2600	svchost.exe
2736	svchost.exe
2680	svchost.exe
2988	svchost.exe
2796	svchost.exe
2792	svchost.exe
2036	svchost.exe
2788	svchost.exe
1084	svchost.exe
440	svchost.exe

UPX packed file 42 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1368-0-0x0000000000AF0000-0x0000000000B3E000-memory.dmp	upx
behavioral1/memory/1368-2-0x0000000000AF0000-0x0000000000B3E000-memory.dmp	upx
behavioral1/memory/1368-1-0x0000000000AF0000-0x0000000000B3E000-memory.dmp	upx
behavioral1/files/0x0009000000016ccd-7.dat	upx
behavioral1/memory/2420-12-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/2420-10-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/2420-9-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/2956-17-0x0000000074170000-0x00000000741BE000-memory.dmp	upx
behavioral1/memory/2956-19-0x0000000074170000-0x00000000741BE000-memory.dmp	upx
behavioral1/memory/2956-18-0x0000000074170000-0x00000000741BE000-memory.dmp	upx
behavioral1/memory/2956-20-0x0000000074170000-0x00000000741BE000-memory.dmp	upx
behavioral1/memory/1368-21-0x0000000000AF0000-0x0000000000B3E000-memory.dmp	upx
behavioral1/memory/2600-25-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/2600-26-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/2600-27-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/2600-28-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/2736-34-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/2736-33-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/2736-32-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/2680-40-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/2680-42-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/2680-39-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/2988-48-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/2988-47-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/2988-49-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/2796-54-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/2796-56-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/2796-55-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/2796-58-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/2036-73-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/2036-71-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/2036-70-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/2788-79-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/2788-80-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/2788-78-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/1084-88-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/1084-86-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/1084-85-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/440-94-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/440-95-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/440-93-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx
behavioral1/memory/440-96-0x00000000746A0000-0x00000000746EE000-memory.dmp	upx

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nwsapagent.dll	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Wmi.dll	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ntmssvc.dll	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\NWCWorkstation.dll	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Nla.dll	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\uploadmgr.dll	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\FastUserSwitchingCompatibility.dll	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Irmon.dll	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WmdmPmSp.dll	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\LogonHours.dll	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PCAudit.dll	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\helpsvc.dll	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ias.dll	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\SRService.dll	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1368	30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\30060ce2349a0fd791a5fc9d68ce5457_JaffaCakes118.exe"
1⤵
- Server Software Component: Terminal Services DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1368

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2420

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2956

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2600

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2736

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2680

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2988

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2796

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
PID:1240

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2792

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2036

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:2788

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1084

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\fastuserswitchingcompatibility.dll

Filesize
238KB

MD5
82088962faae470790bbaa426347be40

SHA1
e95fe7ca402667e4aae288b55eb7e9259b5836bd

SHA256
b43ad918059d67087a2bfa8d74622816c82fd6ed22d1998d97a8dadb53787131

SHA512
34f07839fb5e156f4ab2f2767877534b2dee1b40c273131db818cb573cf5bfa337bcd01ce368357cc446f436a2acfbc81f8081552126adcea636c813c86ab54d

Download Submit
memory/440-94-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/440-95-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/440-93-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/440-96-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/1084-85-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/1084-86-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/1084-88-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/1368-0-0x0000000000AF0000-0x0000000000B3E000-memory.dmp

Filesize
312KB

Download
memory/1368-3-0x0000000000150000-0x000000000019E000-memory.dmp

Filesize
312KB

Download
memory/1368-4-0x0000000000B39000-0x0000000000B3A000-memory.dmp

Filesize
4KB

Download
memory/1368-1-0x0000000000AF0000-0x0000000000B3E000-memory.dmp

Filesize
312KB

Download
memory/1368-2-0x0000000000AF0000-0x0000000000B3E000-memory.dmp

Filesize
312KB

Download
memory/1368-21-0x0000000000AF0000-0x0000000000B3E000-memory.dmp

Filesize
312KB

Download
memory/2036-73-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/2036-70-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/2036-71-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/2420-12-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/2420-9-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/2420-10-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/2600-26-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/2600-27-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/2600-28-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/2600-25-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/2680-42-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/2680-39-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/2680-40-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/2736-32-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/2736-34-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/2736-33-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/2788-79-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/2788-78-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/2788-80-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/2796-54-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/2796-56-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/2796-58-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/2796-55-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/2956-20-0x0000000074170000-0x00000000741BE000-memory.dmp

Filesize
312KB

Download
memory/2956-18-0x0000000074170000-0x00000000741BE000-memory.dmp

Filesize
312KB

Download
memory/2956-19-0x0000000074170000-0x00000000741BE000-memory.dmp

Filesize
312KB

Download
memory/2956-17-0x0000000074170000-0x00000000741BE000-memory.dmp

Filesize
312KB

Download
memory/2988-49-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/2988-48-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download
memory/2988-47-0x00000000746A0000-0x00000000746EE000-memory.dmp

Filesize
312KB

Download